The 5 biggest data breaches of all time

It seems that every cyber security report proclaims that data breaches are getting bigger, more common and more expensive. When you think about it, it shouldn’t be too much of a surprise, because organisations are collecting more and more data and the number of reported incidents is growing exponentially.

Nonetheless, it’s incredible to think that the current five largest data breaches were all disclosed in the past two years. Here they are in their ignominious glory:

5. Myspace (2016) – 360 million records

In May 2016, a Russian hacker known as ‘Peace’ tried to sell the contents of several old data breaches. The largest set of data involved email addresses, usernames and weakly hashed passwords from Myspace.

A list of the most popular passwords in the breach included references to Michael Jordan and blink-182, indicating that the breach occurred in the mid-2000s. Although the information was dated, many of the email addresses are still thought to be active, unlike the Myspace accounts they belong to.

4. Adult FriendFinder (2016) – 412 million records

In November 2016, “sex and swingers” site Adult FriendFinder revealed that it had been breached for the second time in a little over a year. The first incident affected a ‘mere’ 3.5 million users, but the second incident leaked information belonging to all 412 million people who had signed up to FriendFinder Networks in its 20-year history, including those who deleted their accounts.

3. Yahoo (2016) – 500 million records

In September 2016, Yahoo finally confirmed reports that someone had breached the company in 2014 and accessed users’ names, email addresses, telephone numbers, dates of birth and hashed passwords.

However, Yahoo corrected one thing the earlier reports got wrong: the breach affected 500 million accounts, not 200 million. In a press release, the company said the “vast majority” of the stolen passwords had been hashed using bcrypt, which is so far thought to be impossible to crack. That is the very thinnest of silver linings.

2. River City Media (2017) – 1.37 billion records

In March 2017, Chris Vickery, a security researcher for MacKeeper, teased a mammoth data breach involving more than a billion records. After a weekend of speculation, he revealed the victim was River City Media, an “illegal spam operation”.

The breach didn’t attract nearly as much attention as many smaller breaches (which, by definition, is almost all of them), presumably because very few people had heard of River City Media. Nonetheless, the breach exposed huge amounts of data, including people’s full names, email addresses, physical addresses and IP addresses, as well as information relating to River City Media, including domain registration records, infrastructure planning, production notes and business affiliations.

1. Yahoo (2016–2017) – 3 billion records

In November 2016, three months after Yahoo announced that 500 million users’ records had been breached, the organisation broke its own unwanted record for the largest breach of all time by disclosing an unrelated incident that affected one billion records.

But it gets worse: Yahoo confirmed that the breach occurred in 2013, meaning it took three years for the organisation to identify and disclose the incident.

And then it gets worse still: in October 2017, Yahoo revised its original estimate, announcing that the breach affected all three billion of its users.

The future of data breaches

It’s hard to imagine a more comprehensive breach than Yahoo’s most recent catastrophe, but recent history suggests that it’s only a matter of time until the next enormous incident.

The GDPR strengthens existing data protection requirements, introduces new ones and gives supervisory authorities greater regulatory powers. Fines for non-compliance could be as high as €20 million or 4% of the organisation’s annual global turnover – whichever is greater.

To put this in context, had the GDPR been in effect during Yahoo’s record breach, the organisation would have been liable for €168 million.

Granted, counterfactual arguments such as this oversimplify the supervisory authority’s role and largely miss the point of the GDPR. Under this ‘what if’ scenario, you could equally argue that Yahoo would have taken steps to comply with the GDPR and prevented the breach altogether – which is exactly what the Regulation’s enforcement actions are there to do.

Maximum fine or not, organisations that fail to comply with the GDPR will face severe punishment and reputational damage. That’s why it’s important to be as prepared as possible.

You can review how prepared you are with our GDPR Gap Analysis. Our data protection consultants will conduct a thorough on-site assessment of your organisation’s privacy management and data protection practices. They will then provide a detailed breakdown by area of your progress and create an action plan that sets out and prioritises the key issues your organisation must address.

About The Author

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology, and is a one-time winner of a kilogram of jelly beans.